Privacy Policy
Last updated: April 15, 2026
Chapter Inc. (“Chapter”, “we”, “us”, or “our”) operates Vargus (the “Service”), an AI-native QA testing toolchain consisting of an open-source command-line tool, a web dashboard at vargus.com, and related services. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the choices available to you.
We are committed to handling personal data in accordance with the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other applicable privacy laws.
1. Who we are
The data controller responsible for your personal data is Chapter Inc., a Delaware corporation. You can contact us at hello@chapter.com for any privacy-related request, including to exercise the rights described below.
2. Information we collect
2.1 Information you provide to us
- Account data. If you create an account, we collect your name, email address, and a hashed password (or, if you sign in through a third-party identity provider such as GitHub, a unique identifier returned by that provider).
- Billing data. If you subscribe to a paid plan, our payment processor collects your payment details, billing address, and tax information. We do not store full payment card numbers.
- Support and communications. If you email us, open a GitHub issue, or otherwise contact us, we retain the content of your message and any attachments so we can respond and keep a record.
2.2 Information collected automatically
- Usage and device data. When you visit the website or sign in to the dashboard, we automatically collect log data such as IP address, browser type, operating system, referring URL, pages viewed, and timestamps.
- CLI telemetry. The Vargus command-line tool may send anonymous, aggregated telemetry about command usage, error classifications, run durations, and environment metadata (for example Node.js version). No source code, file contents, test scenarios, environment variables, or application data are transmitted as part of telemetry. You can disable telemetry at any time by setting VARGUS_TELEMETRY=0 or through the configuration file.
- Cookies and similar technologies. We use a small number of first-party cookies that are strictly necessary to keep you signed in and remember your preferences. We do not use advertising cookies. See section 7 for details.
2.3 Information from third parties
If you sign in through GitHub or another identity provider, we receive the profile information that you authorize that provider to share (typically your name, email, avatar URL, and account ID).
3. How we use your information
We use the personal data we collect to:
- provide, operate, maintain, and secure the Service;
- create and manage your account and authenticate you;
- process payments and prevent fraud;
- respond to your support requests and communicate with you about the Service;
- monitor usage, diagnose technical issues, and improve the Service;
- send you service announcements, security alerts, and administrative messages;
- with your consent, send you occasional product updates (you can unsubscribe at any time); and
- comply with our legal obligations, enforce our Terms, and defend our rights.
4. Legal bases for processing (EEA and UK)
Where GDPR or UK GDPR applies, we rely on the following legal bases:
- Contract – to provide the Service you have requested or to take pre-contractual steps at your request (for example creating an account).
- Legitimate interests – to secure the Service, prevent abuse, understand how the Service is used, and improve it, balanced against your rights and freedoms.
- Consent – for optional communications and for any non-essential cookies (where applicable). You can withdraw consent at any time.
- Legal obligation – to comply with tax, accounting, and other statutory obligations.
5. Sharing your information
We do not sell your personal data. We share it only in the following limited circumstances:
5.1 Service providers
We use a small number of carefully selected processors to run the Service. Each is bound by a written data processing agreement and may only process your data on our instructions. The main categories are:
- Hosting and infrastructure: Vercel Inc. (website and dashboard hosting) and Amazon Web Services (storage and compute for the backend).
- Authentication: GitHub, Inc. (when you sign in through GitHub).
- Payments: Stripe, Inc. (subscription billing and tax).
- Email delivery: a transactional email provider used for account and support emails.
- Error monitoring and analytics: privacy-respecting error and usage analytics services that process anonymised or pseudonymised data.
- AI model providers: Anthropic, PBC processes the prompts that Vargus sends to generate or execute tests on your behalf. Anthropic does not train on API inputs or outputs by default. See section 6 for more.
5.2 Legal and safety
We may disclose information if we are required to do so by law, legal process, or a valid government request, or where we believe in good faith that disclosure is necessary to prevent imminent harm, investigate fraud, or protect our rights.
5.3 Business transfers
If Chapter Inc. is involved in a merger, acquisition, financing, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any new privacy practices that apply to your data.
6. How AI model providers process your prompts
Vargus sends the testing prompts you trigger (including test scenarios, CLI outputs, and URLs of systems under test) to Anthropic’s API so that the underlying AI model can generate or execute tests. These prompts may contain data from your application and its environment, including any content your tests interact with.
By default, Anthropic processes API requests only to return a response and does not use them to train its models. We recommend that you do not include sensitive personal data, credentials, or regulated data in test scenarios unless you have a lawful basis to do so and have assessed the risk. You are responsible for the content of the prompts Vargus sends on your behalf.
7. Cookies
We use a small number of cookies that are strictly necessary for the Service to function (such as keeping you signed in and remembering your theme preference). We do not use advertising cookies or cross-site tracking cookies. Where required by law, we will ask for your consent before setting any non-essential cookies.
8. Data retention
We keep personal data only for as long as we need it for the purposes described in this policy. In broad terms:
- account data is retained for as long as your account is active and for up to 24 months thereafter;
- billing records are retained for as long as required by applicable tax and accounting laws (typically 7 years);
- website and dashboard logs are retained for up to 90 days;
- aggregated telemetry is retained in anonymised form and cannot be linked back to you.
When we no longer need personal data, we delete it or irreversibly anonymise it.
9. Your rights
Depending on where you live, you may have the right to:
- access the personal data we hold about you;
- correct inaccurate personal data;
- delete your personal data (the “right to be forgotten”);
- restrict or object to processing;
- receive a copy of your personal data in a portable format;
- withdraw consent at any time where we rely on consent;
- lodge a complaint with your local data protection authority.
California residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and limit the use of sensitive personal information, and the right not to be discriminated against for exercising these rights. We do not sell or share personal information within the meaning of the CCPA/CPRA.
To exercise any of these rights, email hello@chapter.com. We will respond within the time frame required by applicable law.
10. International data transfers
Chapter Inc. is based in the United States and uses service providers located in the United States and other countries. When we transfer personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum.
11. Security
We use commercially reasonable administrative, technical, and physical measures to protect personal data, including encryption in transit, encryption at rest for stored credentials, least-privilege access controls, and continuous monitoring. No system is perfectly secure; if you believe your account has been compromised, please contact us immediately.
12. Children’s privacy
The Service is intended for professional developers and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Third-party links
The Service may contain links to third-party websites or services that we do not operate. This Privacy Policy does not apply to those sites, and we are not responsible for their content or privacy practices. We encourage you to review the privacy policies of any third party before providing them with personal data.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page and, where the changes are material, notify you by email or through the Service at least 14 days before they take effect. Your continued use of the Service after that date constitutes acceptance of the updated policy.
15. Contact us
If you have questions about this Privacy Policy or how we handle your personal data, please contact us at hello@chapter.com.